
C4Tzzz

Rank: #30490 of 53,632
Total CVSS: 8.6
Vulnerabilities: 2 (Medium: 2)
PT-2026-44551
4.3
2026-05-28
Mintplex · Anything-Llm · CVE-2026-47713
**Name of the Vulnerable Software and Affected Versions**

AnythingLLM versions prior to 1.13.0

**Description**

An issue exists where a mobile device token created in single-user mode remains valid after migration to multi-user mode, even if the device record has `userId` set to null. The mobile authentication middleware continues to accept this stale token. Since no user is associated with the request, mobile handlers fall through to unscoped data-access branches and return workspaces and content without per-user filtering. This allows a pre-migration token to enumerate workspaces assigned to other users and retrieve thread metadata and chat content.

**Recommendations**

Update to version 1.13.0.
PT-2026-39221
4.3
2026-05-08
Unknown · Anything-Llm · CVE-2026-42456
**Name of the Vulnerable Software and Affected Versions**

AnythingLLM versions prior to 1.12.1

**Description**

An insecure direct object reference (IDOR) exists in the text-to-speech endpoint. The endpoint `/api/workspace/:slug/tts/:chatId` validates workspace membership but fails to enforce ownership of the targeted chat row. This allows an authenticated user to access another user's private assistant response in audio form if the `chatId` is known or guessed.

**Recommendations**

Update to version 1.12.1.